Anaconda Realm Integration
Kickstart will have a 'realm join example.com' command to join the machine to an AD or FreeIPA domain during install. The join will use one-time passwords or password-less joins.
- Name: Vratislav Podzimek
- Email: email@example.com
- Name: Stef Walter
- Email: firstname.lastname@example.org
- Targeted release: Fedora 19
- Last updated: 2013-05-14
- Percentage of completion: 100%
- Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=874450
realmd is an on-demand system D-Bus service, which allows callers to configure network authentication and domain membership in a standard way. realmd discovers information about the domain or realm automatically and does not require complicated configuration in order to join a domain or realm.
By integrating realmd with Kickstart and Anaconda, administrators will be able to add machines to a domain en masse. This can be done without leaking administrative domain credentials into the kickstart file.
In addition there will be a GUI for joining a domain during the anaconda install process.
This will be implemented as an Anaconda addon, to help keep the scope and base feature set of Anaconda in check.
Benefit to Fedora
Provides a best-practice standard way to deploy Fedora machines on an Active Directory or FreeIPA domain. realmd was integrated in Fedora 18, and this builds on that feature.
A new anaconda addon will be created. This addon will be distributed with the Fedora distribution by default.
How To Test
Precreate a computer account in an Active Directory domain with the adcli tool:
$ adcli preset --user=AdminUser --verbose --domain ad.example.com --one-time-password=MyPassword machine
Add the following lines to a kickstart file (which already has basic kickstart contents, sets up network, etc...):
network --hostname=machine.ad.example.com
realm join --one-time-password=MyPassword ad.example.com
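A lint for the kickstart lines above, as an added example (not Anaconda, realmd or pykickstart code): it checks that every `realm join` command uses a one-time password or a password-less join, and that a one-time-password join has a matching precreated account. The names `parse_kickstart`, `lint` and `preset_accounts` are hypothetical, and it assumes the precreated account name is the short host name, as in the adcli step.

```python
import shlex

# Constructed sample, modelled on the two kickstart lines in "How To Test".
SAMPLE_KS = """\
network --hostname=machine.ad.example.com
realm join --one-time-password=MyPassword ad.example.com
"""

def _options(words):
    """Split into ({option: value}, [positional]); takes --opt=value and --opt value."""
    opts, args, it = {}, [], iter(words)
    for w in it:
        if w.startswith("--") and "=" in w:
            opts.update([w[2:].split("=", 1)])  # one (key, value) pair
        elif w in ("--hostname", "--one-time-password"):
            opts[w[2:]] = next(it, "")          # value given as the next word
        elif w.startswith("--"):
            opts[w[2:]] = True                  # flag such as --no-password
        else:
            args.append(w)
    return opts, args

def parse_kickstart(ks_text):
    """Return (hostname, [(domain, options)]) from the command section only."""
    hostname, joins, in_section = None, [], False
    for line in ks_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("%") and not stripped.startswith(("%include", "%ksappend")):
            in_section = stripped != "%end"  # %pre/%post/%packages bodies are not commands
        elif not in_section:
            words = shlex.split(stripped, comments=True)
            if words[:1] == ["network"]:
                hostname = _options(words[1:])[0].get("hostname", hostname)
            elif words[:2] == ["realm", "join"]:
                opts, args = _options(words[2:])
                joins.append((args[-1] if args else None, opts))
    return hostname, joins

def lint(ks_text, preset_accounts):
    """Flag joins that are not OTP/password-less, or OTP joins with no precreated account."""
    hostname, joins = parse_kickstart(ks_text)
    short = (hostname or "").split(".")[0].lower()  # assumption: account name = short host name
    findings = []
    for domain, opts in joins:
        if "one-time-password" not in opts and "no-password" not in opts:
            findings.append(f"{domain}: join is neither one-time-password nor password-less")
        if "one-time-password" in opts and short not in preset_accounts:
            findings.append(f"{domain}: no precreated account for host {short!r}")
    return findings
```

Calling `lint(SAMPLE_KS, {"machine"})` returns an empty list; an empty `preset_accounts` set reports the missing precreated account.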
Further testing documentation to follow.
Administrators will see a new kickstart command to include in their kickstart files. Users will see the option to join a domain in the installer.
If the Anaconda GUI parts cannot be completed in time, then the kickstart command will be delivered without the GUI bits.
This is being developed as an addon. This makes it very simple to remove the feature as a contingency.
Documentation to follow.
- Fedora can now join a domain from a kickstart file, using one-time passwords and a simple syntax.